Single Registration
Passwordless Authentication using mobile devices as authenticators enhances application security and simplifies user experiences. Users can register their mobile devices to the desktop using the HYPR WFA client for passwordless login to their desktop and to protected browser web applications. The authentication user experience can be taken to the next level by allowing users to register their mobile device only once using the HYPR single registration mechanism. This single registration allows users to carry out passwordless login to their desktop and protected web applications without having to register their mobile devices additionally.
Single registration can be achieved in two ways:
- Workstation to Web: Register once on the workstation for access to both workstation and web applications
- Web to Workstation: Register once on the web for access to both web applications and workstation
Deployment Strategy
- For customers with existing passwordless login to desktop: Enable Workstation to Web single registration
- For customers with existing passwordless login to web application: Enable Web to Workstation single registration
- For customers with no existing footprint: Enable both Workstation to Web and Web to Workstation single registration
Workstation to Web Single Registration
Overview
Workstation to Web Single Registration is a one-way registration flow in which users initiate and complete the registration ceremony a single time using the HYPR WFA Client. Users don't have to register explicitly with the configured web applications. After this single registration ceremony, users can log in to their desktop and web applications.
Registration workflow for a new user (no existing registration):

Registration workflow for a new web profile (user already has an existing web profile):

Registration workflow for a new workstation account (user already has an existing registered workstation):

Key Facts
- From the user's perspective, it is a one-time registration experience
- From the backend's perspective, the HYPR Server creates both desktop and web profiles
- This single registration process doesn't stop users from registering explicitly to the web application
- If users register explicitly to the web application, the web registered profile is not linked with the desktop profile
- Users can create multiple desktop profiles for the same user from multiple desktop machines
- All desktop profiles are linked with only one web profile
- Desktop profile deregistration on any desktop machine deletes that desktop profile and the associated web profile
Prerequisites
- Create and configure rpApp for Workstation
- Create and configure rpApp for all web applications
- Install the HYPR WFA Client
Configuration
Enable the following feature flags:
On Workstation rpApp level:
WEB_LOGIN_WITH_WFA_REGISTRATION
On Web rpApp level:
WEB_TO_WS_SINGLE_REGISTRATION_TRANSLATION
RP_APP_WORKSTATION_ENABLED
After enabling the feature flags, upload your AD CS domain CA certificate to HYPR Control Center:
- Export the domain certificate from your AD CS server in DER format (base64-encoded).
- Upload the certificate to HYPR CC using the following API call:
  - API URL: https://<HOST>/rp/api/domaincertificate
  - Request Type: POST
  - Request Payload: { "domainCertificate": "<Base64Encoded>" }
  - Authorization: Bearer <AdminToken>
- Example curl request:
curl --location \
--request POST "https://HOST/rp/api/domaincertificate" \
--header "Authorization: Bearer hypap-edba607b-b400-4c57-9d3d-839a6e07a6f1" \
--header "Content-Type: application/json" \
--data '{
"domainCertificate": "MIIDczCCAlugAwIBAgIQS0n13f/8s5Np+dFMzF++0TANBgkqhkiG9w0BAQsFADBM-RMwEQYKCZImiZPyLGQBGRYDbmV0MRcwFQYKCZImiZPyLGQBGRYHaHlwcmxhYjEcMBoGA1UEAxMTaHlwcmxhYi1BRFNFUlZFUi1DQTAeFw0yMjA4MTEyMzQ4MTZaFw0zMjA4MTEyMzU4MTVaMEwxEzARBgoJkiaJk/IsZAEZFgNuZXQxFzAVBgoJkiaJk/IsZAEZFgdoeXBybGFiMRwwGgYDVQQDExNoeXBybGFiLUFEU0VSVkVSLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuDnPO/GZ1HeNMj1X+yDu46oK1x4mnC8aBDUwVlpzcEv4heLuAWZT/dFVFKKZSNQxbAMubuNwFepySrgp7ThBVp4BGBq7b/LmjZJD9oeqpBhKnryIfYSqLbxY3J2h5YtjQiR7nRr9iNyfT+8I91yyhn95sdtNEyeENlyI+dz41bAj/PksJVtdxhI/ClnJTVSCHFid42jcta0VKgfnmRfvvobX2rOpgmKhAYr9fNZ67TlzTTjji8Hz4vpQGm/9fiLKim4idAksTo1x/w0mOLSbaHTZ/qAUdTyye6aDDw1g9xap3cXPRX82Lstq/4CbhNZRHg1QfFMamghb6siX9KXOhQIDAQABo1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUG9IOpL+oXX7mlkOKNqFPWb/hmp0wEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggEBAEGU/5V1evJKwTFaac6MnA02Pgwvmaer8Gycun4cAJbd9HUtenKcw8+oryojouniJ7Bm7NTrGPHDFgTxg1P9fdA8DE8nVCidCYiN3iJOzQ5v593eK08SxExEGOIcFveOZf0uAXgtr2UkqTBp2K8RYUT5nTpjBXUMcQdHO1fXYJ/cKqH25CiGqMwUQx+aNWzc7/LT4nX9A9zMiwALD1IbTZOlzU7R8mt0A3IZClJJvCl9PdAcpqiHqAUnq8ojJN0neeANJyiXixedrTp6gxEpGWV7tR2NuYesnwjFtV2jV0VdcYVmDQVtqdpkxbx93re2IGhNqO+H0Pujtie2TTv7J4kE="
}'
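An exported certificate often arrives as PEM with headers and line breaks, or as a bundle, while the payload above expects one base64 string. The following added example (not HYPR code; the function names and the sample blob are hypothetical) normalizes PEM, binary DER, or base64 input into the `domainCertificate` value and rejects malformed input before it is posted. It checks only the outer DER structure and does not validate the X.509 contents.

```python
import base64
import binascii
import json
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed sample: a well-formed outer DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def der_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (outer TLV check only)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, body = 2, first
    else:                                  # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body       # no truncation, no trailing data


def to_domain_certificate(raw: bytes) -> str:
    """Normalize PEM, binary DER or base64 DER to single-line base64 DER."""
    if b"PRIVATE KEY" in raw:
        raise ValueError("input contains a private key; export the certificate only")
    if raw[:1] == b"\x30" and der_length_ok(raw):
        return base64.b64encode(raw).decode("ascii")   # already binary DER
    text = raw.decode("ascii")             # UnicodeDecodeError is a ValueError
    blocks = PEM_CERT.findall(text)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found a bundle")
    b64 = "".join((blocks[0] if blocks else text).split())
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if not der_length_ok(der):
        raise ValueError("decoded data is not a single DER SEQUENCE")
    return base64.b64encode(der).decode("ascii")


def build_payload(raw: bytes) -> str:
    """JSON body for the POST to /rp/api/domaincertificate shown above."""
    return json.dumps({"domainCertificate": to_domain_certificate(raw)})
```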
User Experience
When you receive an invitation email, follow these steps:
- On the workstation, start the HYPR Passwordless client if it isn't running already
- Click Start Pairing in the HYPR Passwordless client
- If you already have a device paired, click Pair New Device
- Select Smartphone and a QR code appears in the dialog
- On the HYPR Mobile App, click the pairing label to open the account screen
- Grant access to the Camera, if necessary, and scan the QR on the workstation screen
- After completion, the HYPR Mobile App displays the pairing on your phone as both a Computer Account and a Web account
Deregistration workflow:

Web to Workstation Single Registration
Overview
Web to Workstation Single Registration is a one-way registration flow in which users initiate and complete the registration ceremony a single time using the browser web application interface. Users don't have to register explicitly on the desktop using the HYPR WFA Client. After this single registration ceremony, users can log in to desktop and web applications.
Registration workflow for a new web profile (no existing web profile for user):

Registration workflow for a new web profile (user already has an existing web profile):

Registration workflow for a new workstation account (user already has an existing registered workstation):

Key Facts
- Web to Workstation Single Registration uses one-way registration traffic: you register from the web application, and HYPR links your desktop and web profiles automatically
- You only need to complete the registration ceremony once in your browser—no need to register separately on your desktop with the HYPR WFA Client
- After this single, seamless experience, you can log in to both your desktop and web applications without extra steps
- HYPR creates both your desktop and web profiles in the background, so you get unified access with minimal effort
Prerequisites
- Create and configure rpApp for Workstation
- Create and configure rpApp for all web applications
- Deploy and configure the HYPR Enrollment Service
- Install the HYPR WFA Client (Optional)
Configuration
Enable the following feature flags:
On Global level:
WINDOWS_WEB_ENROLLMENT
On Web rpApp level:
ASYNC_REGISTRATION
WINDOWS_WEB_ENROLLMENT
RP_APP_WORKSTATION_ENABLED
WEB_TO_WS_SINGLE_REGISTRATION_TRANSLATION
VIRTUAL_DESKTOP_INFRASTRUCTURE
ENDPOINT_API_SECURITY_TOKEN_DEVICE (Enabled by Default)
ENDPOINT_API_SECURITY_TOKEN_WORKSTATION (Enabled by Default)
On Workstation rpApp level:
WINDOWS_WEB_ENROLLMENT
RP_APP_WORKSTATION_ENABLED
VIRTUAL_DESKTOP_INFRASTRUCTURE
ENDPOINT_API_SECURITY_TOKEN_DEVICE (Enabled by Default)
ENDPOINT_API_SECURITY_TOKEN_WORKSTATION (Enabled by Default)
HYPR Enrollment Service
Overview
The HYPR Certificate Enrollment Service manages authentication certificates for end users enrolling with the web application registration interface or Device Manager. When users add a new mobile device to the web application using the registration interface, the HYPR CC Server queues up the certificate request.
Key Facts
- The Enrollment Service interacts with the HYPR CC Server by polling for pending certificate requests
- The service then sends back the encrypted certificate to the CC server
- The CC Server transports the certificate to the user's mobile device
- Interaction is controlled by the feature flag WINDOWS_WEB_ENROLLMENT
Installation Requirements
- Distributed as an MSI installer package (HyprEnrollmentService_x64.msi)
- Must be installed on a Windows Server with network connectivity to AD CS
- The Windows Server must have .NET Framework enabled
- Cannot be installed on a Domain Controller or AD CS server
User Experience
When you receive an invitation email:
- Open the invitation email on your device
- Click the link to open the HYPR Mobile App and initiate pairing
- Click Get Started to begin
- Complete the device's FIDO authentication when prompted
- The HYPR Mobile App obtains a certificate from the Certificate Enrollment Service
- When the workstation is ready, click Continue
- On the workstation, click Scan QR to Login
- On the HYPR Mobile App, click the pairing label to open the account screen
- Click the matching QR icon beneath Tap to Unlock or press and Hold for Options
- Grant access to the Camera, if necessary, and scan the QR on the workstation screen
- You are passwordlessly logged into the workstation
When configured for single registration, HYPR links the web account and the computer account together. Deregistering either account also removes its counterpart.
Deregistration workflow:

Testing the Workflow
- Use the HYPR CC Console to create a magic link for the web application
- Enter the user's email in the Username field (must match Active Directory email)
- Click Create Magic Link
- Navigate to the Magic Link Web Link URL
- Select 'Register mobile device'
- Wait a few minutes for the server to process the certificate
- Tap on the Pending Computer bubble
- Scan the QR code on the Windows lock screen to complete the WFA pairing
Logs and Audit Trail
The HYPR CC Console provides administrators with an Audit Trail mechanism for tracking events that flow through the HYPR components. The Audit Trail events are stored in the HYPR database for a limited time. Customers can integrate their existing SIEM footprint with the HYPR Server for permanent storage of these audit events.
